CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. The current project manager is Nanni Bassetti (Bari, Italy). CAINE offers a complete forensic environment that is organised to integrate existing software tools as software modules and to provide a friendly graphical interface. The main design objectives that CAINE aims to guarantee are:

- an interoperable environment that supports the digital investigator during the four phases of the digital investigation
- a user-friendly graphical interface
- user-friendly tools

CAINE fully represents the spirit of the Open Source philosophy: the project is completely open, and anyone can take on the legacy of the previous developer or project manager. The distro is open source, the Windows side is freeware and, last but not least, the distro is installable, which makes it possible to rebuild it as a brand new version and so gives the project a long life.

The important news is that CAINE 11.0 puts all block devices (e.g. /dev/sda) in read-only mode. A GUI tool named BlockON/OFF is present on CAINE's desktop. This write-blocking method ensures that all disks are really preserved from accidental write operations, because they are locked read-only. If you need to write to a disk, you can unlock it with BlockON/OFF or by changing the policy to writable in "Mounter". CAINE is always…

ngrev is a graphical tool for reverse engineering Angular projects. It lets you navigate the structure of your application and observe the relationships between the different modules, providers, and directives. The tool performs static code analysis, which means that you don't have to run your application in order to use it.

How to use?

macOS: go to the releases page, download the latest *.dmg file and install the application.
Linux: go to the releases page, download the latest *.AppImage file and run it (you may need to chmod +x *.AppImage).
Windows: go to the releases page, download the latest *.exe file and install the application.

Creating a custom theme: you can add your own theme by creating a [theme-name].theme.json file in Electron's [userData]/themes directory. For a sample theme see Dark.

Application requirements: your application needs to be compatible with Angular's AoT compiler (i.e. you should be able to compile it with ngc).

Using with Angular CLI: open the Angular application directory, make sure the dependencies are installed, open ngrev, click on Select Project and select [YOUR_CLI_APP]/src/tsconfig.app.json.

Using with Angular Seed: open the Angular application directory, make sure the dependencies are installed, open ngrev, click on Select Project and select [YOUR_CLI_APP]/src/client/tsconfig.json.

Demo here. Download…

functrace is a tool that helps to analyze a binary file with dynamic instrumentation using DynamoRIO (http://dynamorio.org/). These are some of the implemented features (based on DynamoRIO):

- disassemble all the executed code
- disassemble a specific function (dump if these are addresses)
- get the arguments of a specific function (dump if these are addresses)
- get the return value of a specific function (dump if this is an address)
- monitor application signals
- generate a report file
- ghidra (https://ghidra-sre.org/) coverage script (based on the functrace report file)

Setup

$ wget https://github.com/DynamoRIO/dynamorio/releases/download/release_7_0_0_rc1/DynamoRIO-Linux-7.0.0-RC1.tar.gz
$ tar xvzf DynamoRIO-Linux-7.0.0-RC1.tar.gz

OR

$ wget https://github.com/DynamoRIO/dynamorio/releases/download/cronbuild-7.91.18047/DynamoRIO-x86_64-Linux-7.91.18047-0.tar.gz
$ tar xvzf DynamoRIO-x86_64-Linux-7.91.18047-0.tar.gz

You can also clone and compile DynamoRIO directly. Then build functrace against it:

$ git clone https://github.com/invictus1306/functrace
$ mkdir -p functrace/build
$ cd functrace/build
$ cmake .. -DDynamoRIO_DIR=/full_DR_path/cmake/
$ make -j4

Using functrace

$ drrun -c libfunctrace.so -report_file report -- target_program [args]

Options

The following functrace (https://github.com/invictus1306/functrace) options are supported:

-disassembly -> disassemble all the functions
-disas_func function_name -> disassemble only the…

apk-mitm is a CLI application that automatically prepares Android APK files for HTTPS inspection.

Inspecting a mobile app's HTTPS traffic using a proxy is probably the easiest way to figure out how it works. However, with the Network Security Configuration introduced in Android 7 and app developers trying to prevent MITM attacks using certificate pinning, getting an app to work with an HTTPS proxy has become quite tedious. apk-mitm automates the entire process. All you have to do is give it an APK file and apk-mitm will:

- decode the APK file using Apktool
- modify the app's AndroidManifest.xml to make it debuggable
- modify the app's Network Security Configuration to allow user-added certificates
- insert return-void opcodes to disable certificate pinning logic
- encode the patched APK file using Apktool
- sign the patched APK file using uber-apk-signer

You can also use apk-mitm to patch apps distributed as an Android App Bundle, and rooting your phone is not required.

Usage

If you have an up-to-date version of Node.js (8.2+) and Java (8+), you can run this command to patch an app:

$ npx apk-mitm <path-to-apk>

So, if your APK file is called example.apk, you'd run:

$ npx apk-mitm example.apk
✔ Decoding APK file
✔ Modifying app manifest
✔ Modifying network security config
✔ Disabling certificate pinning
✔ Encoding patched APK file
✔ Signing patched APK file
Done! Patched APK: ./example-patched.apk

You can now install the…
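The two XML edits in the list above (make the app debuggable, trust user-added CAs) are small enough to show in full. The following is an added example written for this page, not apk-mitm's own code: it applies both edits to an Apktool-decoded project using only the Python standard library. The manifest is a constructed sample, and the resource name network_security_config is an assumption; a real app may already ship a config file under a different name, which apk-mitm edits in place rather than replacing.

```python
# Added example, not apk-mitm's own code: the manifest and Network Security
# Configuration edits that apk-mitm performs, done by hand with the standard
# library on an Apktool-decoded project.
from pathlib import Path
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)

# Constructed sample manifest, shaped like Apktool's decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example" android:debuggable="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Network Security Configuration that trusts the user CA store in addition to
# the system store. On Android 7+ the default trusts only "system", which is
# why a proxy's user-installed CA is rejected until this is changed.
USER_TRUST_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def android_attr(name: str) -> str:
    """ElementTree's Clark notation for an android: attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def patch_manifest(manifest_xml: str,
                   nsc_resource: str = "@xml/network_security_config") -> str:
    """Return the manifest with android:debuggable="true" and a reference to
    the network security config set on <application>."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("AndroidManifest.xml has no <application> element")
    app.set(android_attr("debuggable"), "true")
    app.set(android_attr("networkSecurityConfig"), nsc_resource)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def application_attr(manifest_xml: str, name: str):
    """Read an android: attribute of <application> (None if absent)."""
    return ET.fromstring(manifest_xml).find("application").get(android_attr(name))


def nsc_trust_sources(nsc_xml: str) -> set:
    """The src= values of all <certificates> trust anchors in a config."""
    return {c.get("src") for c in ET.fromstring(nsc_xml).iter("certificates")}


def patch_decoded_project(project_dir: str) -> None:
    """Apply both edits on disk to an Apktool output directory (assumed layout:
    AndroidManifest.xml at the top level, XML resources under res/xml/)."""
    root = Path(project_dir)
    manifest = root / "AndroidManifest.xml"
    manifest.write_text(patch_manifest(manifest.read_text(encoding="utf-8")), encoding="utf-8")
    nsc = root / "res" / "xml" / "network_security_config.xml"
    nsc.parent.mkdir(parents=True, exist_ok=True)
    nsc.write_text(USER_TRUST_NSC, encoding="utf-8")   # overwrites any existing file of that name
```

After patch_decoded_project() the project still has to be rebuilt and re-signed (Apktool and uber-apk-signer in apk-mitm's pipeline) before it installs, and apps that pin certificates in code need the separate Smali patch the list mentions; this example only covers the two XML steps.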

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause it to redirect the request to a URL contained within that input. By modifying untrusted URL input to point to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to craft a URL that passes the application's access control check and then forwards the attacker to privileged functions that they would normally not be able to access.

Safe URL Redirects

Java:
response.sendRedirect("http://www.mysite.com");

PHP:
<?php
/* Redirect browser */
header("Location: http://www.mysite.com");
?>

ASP.NET:
Response.Redirect("~/folder/Login.aspx")

Rails:
redirect_to login_path

In the examples above, the URL is explicitly declared in the code and cannot be manipulated by an attacker.

Dangerous URL Redirects

The following examples demonstrate unsafe redirect and forward code.

Dangerous URL Redirect Example 1

The following Java code receives the URL from the parameter named url (GET or POST) and redirects to that URL:

response.sendRedirect(request.getParameter("url"));

The following PHP code obtains a URL from the query string (via the parameter named url) and then redirects the user…
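What a safe version of the "Dangerous URL Redirect Example 1" pattern looks like, as an added example that is not part of the cheat sheet: an allow-list check on the user-supplied target, written in Python so it is framework-neutral (the web layer, Flask, Django or similar, calls safe_redirect_target() on the url parameter and redirects to whatever it returns). The host names www.mysite.com and evil.com are illustrative assumptions. The check goes beyond a plain string comparison because browsers normalise URLs in ways the naive check does not: they drop tabs and newlines, treat a backslash like a slash in the authority part, and collapse "///host" to "//host".

```python
# Added example, not from the OWASP cheat sheet: allow-list validation of a
# user-controlled redirect target. Host names are assumptions for illustration.
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"www.mysite.com"}        # assumed: hosts we may send users to
SITE_ORIGIN = "https://www.mysite.com/"   # assumed: origin relative paths resolve against
FALLBACK = "/"                            # where to send the user when the target fails the check


def unsafe_redirect_target(user_url: str) -> str:
    """The dangerous pattern from the page, in Python: the parameter is used verbatim."""
    return user_url


def safe_redirect_target(user_url: str) -> str:
    """Return an absolute URL on an allowed host, or FALLBACK."""
    if not user_url:
        return FALLBACK
    # Browsers ignore tabs/newlines inside URLs and treat "\" like "/" in the
    # authority part, so normalise the same way first; otherwise inputs such as
    # "/\evil.com" or "java\tscript:alert(1)" pass the check but reach evil.com.
    raw = "".join(ch for ch in user_url.strip() if ch not in "\t\r\n").replace("\\", "/")
    # Protocol-relative targets ("//evil.com", and "///evil.com", which browsers
    # collapse to the same thing) leave our origin; reject them outright.
    if raw.startswith("//"):
        return FALLBACK
    try:
        resolved = urljoin(SITE_ORIGIN, raw)   # relative paths stay on our origin
        parts = urlsplit(resolved)
        host = parts.hostname                  # lower-cased, userinfo and port stripped
    except ValueError:                         # e.g. malformed IPv6 literal
        return FALLBACK
    if parts.scheme not in ("http", "https"):  # javascript:, data:, ...
        return FALLBACK
    if host not in ALLOWED_HOSTS:              # also rejects user@host tricks and look-alike domains
        return FALLBACK
    return resolved


if __name__ == "__main__":
    for candidate in ("/account/settings", "https://evil.com/", "//evil.com",
                      "https://www.mysite.com@evil.com/", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Comparing against an exact host allow-list after parsing, rather than checking that the string "starts with" or "contains" the site name, is what defeats the https://www.mysite.com@evil.com and https://www.mysite.com.evil.com variants.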

Antibot.pw provides a free, open API endpoint for checking a domain or email address against a frequently-updated list of disposable domains. CORS is enabled for all originating domains, so you can call the API directly from your client-side code.

GET https://antibot.pw/api/disposable?email=<address> HTTP/1.1

The response will be JSON with one boolean property, e.g. {"disposable":false}

Using jQuery?

<script>
$("#email").change(function () {
  var val = $("#email").val();
  // Encode the address: "+" and other reserved characters would otherwise be
  // mangled in the query string.
  $.get("https://antibot.pw/api/disposable?email=" + encodeURIComponent(val), function (data, textStatus) {
    if (data["disposable"] === true) {
      alert("email disposable");
    }
  });
});
</script>

Because this check runs in the browser it can be skipped by the client; repeat it server-side before accepting the address. Download…

RetDec is a retargetable machine-code decompiler based on LLVM. The decompiler is not limited to any particular target architecture, operating system, or executable file format:

- Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code
- Supported architectures:
  - 32-bit: Intel x86, ARM, MIPS, PIC32, and PowerPC
  - 64-bit: x86-64, ARM64 (AArch64)

Features:

- Static analysis of executable files with detailed information.
- Compiler and packer detection.
- Loading and instruction decoding.
- Signature-based removal of statically linked library code.
- Extraction and utilization of debugging information (DWARF, PDB).
- Reconstruction of instruction idioms.
- Detection and reconstruction of C++ class hierarchies (RTTI, vtables).
- Demangling of symbols from C++ binaries (GCC, MSVC, Borland).
- Reconstruction of functions, types, and high-level constructs.
- Integrated disassembler.
- Output in two high-level languages: C and a Python-like language.
- Generation of call graphs, control-flow graphs, and various statistics.

For more information, check out our Wiki (in progress), the Botconf 2017 talk (slides, video), the REcon Montreal 2018 talk (slides) and the publications.

Installation and Use

Currently, we support Windows (7 or later), Linux, macOS, and (experimentally) FreeBSD. An installed version of RetDec requires approximately 4 GB of free disk space.

Windows: either download and unpack a pre-built package, or build…

The concept behind Seeker is simple: just as we host phishing pages to get credentials, why not host a fake page that requests your location, like many popular location-based websites do? Read more on thewhiteh4t's blog.

Seeker hosts a fake website on the built-in PHP server and uses Serveo to generate a link which we forward to the target. The website asks for location permission and, if the target allows it, we get:

- Longitude
- Latitude
- Accuracy
- Altitude (not always available)
- Direction (only available if the user is moving)
- Speed (only available if the user is moving)

Along with the location information we also get device information without any permissions:

- Operating system
- Platform
- Number of CPU cores
- Amount of RAM (approximate)
- Screen resolution
- GPU information
- Browser name and version
- Public IP address
- IP address reconnaissance

This tool is a proof of concept and is for educational purposes only. Seeker shows what data a malicious website can gather about you and your devices, and why you should not click on random links and grant critical permissions such as location.

How is this different from IP geolocation? Other tools and services offer IP geolocation, which is not accurate at all and does not give the location of the target; instead it gives the approximate location of the ISP. Seeker uses the browser's HTML5 Geolocation API: it requests location permission and then grabs longitude and latitude using the GPS hardware present in the device, so…

CORStest is a simple CORS misconfiguration scanner based on the research of James Kettle. It is a quick & dirty Python 2 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. Currently, the following potential vulnerabilities are detected by sending a certain Origin request header and checking for the Access-Control-Allow-Origin response header:

- Developer backdoor: insecure dev origins like JSFiddle or CodePen are allowed to access this resource
- Origin reflection: the origin is simply echoed in the ACAO header; any site is allowed to access this resource
- Null misconfiguration: any site is allowed access by forcing the null origin via a sandboxed iframe
- Pre-domain wildcard: notdomain.com is allowed access, which can simply be registered by an attacker
- Post-domain wildcard: domain.com.evil.com is allowed access, which can be registered by an attacker
- Subdomains allowed: sub.domain.com is allowed access; exploitable if the attacker finds XSS in any subdomain
- Non-SSL sites allowed: an http origin is allowed access to an https resource, which allows a MitM to break encryption
- Invalid CORS header: wrong use of wildcard or multiple origins; not a security problem but should be fixed

Note that these vulnerabilities/misconfigurations are dependent on the context. In most scenarios, they can only be exploited by an attacker if the…
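The probe-and-classify loop behind that list, as an added example that is not CORStest's own code: for each misconfiguration it sends a crafted Origin and treats the resource as exposed to that origin when the Access-Control-Allow-Origin header echoes it back. It is written in Python 3 and decoupled from the network so it runs offline: classify_cors() takes any probe(origin) callable that returns the response headers, fake_server() is a constructed stand-in for a vulnerable target that "validates" Origin with a bare suffix match, and the names domain.com, evil.example and the http_probe() helper are assumptions for illustration.

```python
# Added example, not CORStest's own code: Origin probes and ACAO classification
# for the misconfigurations listed above. Target and attacker host names are
# illustrative assumptions; fake_server() is a constructed vulnerable target.
import urllib.error
import urllib.request

TARGET = "domain.com"   # assumed target host


def probes_for(target_host: str) -> dict:
    """Origin header to send for each misconfiguration being tested."""
    return {
        "origin reflection":     "https://evil.example",
        "null misconfiguration": "null",
        "pre-domain wildcard":   "https://evil" + target_host,            # evildomain.com
        "post-domain wildcard":  "https://" + target_host + ".evil.example",
        "subdomains allowed":    "https://sub." + target_host,
        "non-ssl origin":        "http://" + target_host,
        "developer backdoor":    "https://jsfiddle.net",
    }


def classify_cors(target_host: str, probe) -> dict:
    """Map each detected issue to the origin that was accepted and whether
    credentials (cookies) would be sent along with the cross-origin request."""
    findings = {}
    for issue, origin in probes_for(target_host).items():
        headers = probe(origin)
        acao = headers.get("Access-Control-Allow-Origin")
        creds = headers.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"
        if acao is None:
            continue
        acao = acao.strip()
        if "," in acao or " " in acao or (acao == "*" and creds):
            # Multiple origins, or "*" together with credentials: browsers reject
            # these, so it is a bug to fix rather than an exploitable hole.
            findings.setdefault("invalid CORS header",
                                {"origin": origin, "acao": acao, "credentials": creds})
        elif acao == origin:
            findings[issue] = {"origin": origin, "acao": acao, "credentials": creds}
    return findings


def fake_server(origin: str) -> dict:
    """Constructed stand-in for a server that 'validates' Origin with a bare
    suffix match, a common mistake that lets evildomain.com and any subdomain in."""
    if origin.endswith(TARGET):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def http_probe(url: str, timeout: float = 10.0):
    """Real probe for a live target: GET url with the given Origin and return the
    response headers (error responses still carry CORS headers, so keep them)."""
    def probe(origin: str) -> dict:
        req = urllib.request.Request(url, headers={"Origin": origin,
                                                   "User-Agent": "corstest-example"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return dict(resp.headers.items())
        except urllib.error.HTTPError as e:
            return dict(e.headers.items())
    return probe


if __name__ == "__main__":
    for issue, info in classify_cors(TARGET, fake_server).items():
        print(f"{issue}: ACAO={info['acao']} credentials={info['credentials']}")
```

The credentials flag is what makes the context matter: an accepted origin without Access-Control-Allow-Credentials only exposes responses that are sensitive without a session cookie, while one with it hands the attacker's page the victim's authenticated responses. Against a live target, pass http_probe("https://domain.com/api/me") in place of fake_server.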

SharpHide is just a nice persistence trick to confuse DFIR investigation. It uses the NtSetValueKey native API to create a hidden registry value by adding a null byte in front of the UNICODE_STRING value name; the Win32 registry APIs treat that leading null as the string terminator, so tools built on them cannot read or display the value. More info about this technique can be found in the following whitepaper: https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf

The tool uses the following registry path, in which it creates the hidden Run value:

(HKCU if user, else HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Usage

Create a hidden registry (Run) key:
SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe"

Create a hidden registry (Run) key with parameters:
SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe" arguments="arg1 arg2"

Delete the hidden registry (Run) key:
SharpHide.exe action=delete

This tool also works with Cobalt Strike's execute-assembly.

Credits
Author: Cornelis de Plaa (@Cneelis) / Outflank

Download…